Collecting offenses metadata and generating metrics using ELK stack
Cyb3rSn0rlax/ELK4QRADAR
ELK4QRADAR

This project helps SOC/MSSP teams that run QRadar for multiple clients collect and centralize monitoring statistics from all of their QRadar deployments into one Elastic Stack.

[Diagram]

Steps

  1. PUT _template/<YOUR_TEMPLATE_NAME>. This repository provides an index template that you can load into your Elastic Stack.
  2. Populate the YAML files in /etc/logstash with the data appropriate to your context. Samples are provided in this project:
    • timezone.yml: contains a dictionary of client names and their corresponding timezones.
    • clientnames.yml: contains a dictionary of input configuration tags and their corresponding client names.
  3. Copy the conf.d configuration into your Logstash conf.d folder and customize it to your needs.
  4. Create a /home/USER/Offenses/ folder to store the search data extracted from QRadar in CSV format.
  5. Create the following scripted fields in Kibana:

     | Name                | Lang     | Script                                | Format |
     | ------------------- | -------- | ------------------------------------- | ------ |
     | offense.day_of_week | painless | doc['@timestamp'].value.dayOfWeekEnum | String |
     | offense.hour_of_day | painless | doc['@timestamp'].value.hourOfDay     | Number |
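The steps above chain together a translate lookup (input tag to client name), a per-client timezone conversion, and two Kibana scripted fields, and the Metrics samples below are aggregations over those fields. The following Python script is an added, offline model of that pipeline; it is not code from the ELK4QRADAR repository. The CSV column names, the contents of the two dictionaries (standing in for clientnames.yml and timezone.yml), the sample rows, and the function names are all constructed for this example. It also emits newline-delimited JSON, which is the direction the Tasks section points to.

```python
"""Offline model of the ELK4QRADAR enrichment steps (added example, not the project's code)."""
import csv
import io
import json
from collections import Counter
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed stand-ins for clientnames.yml and timezone.yml; values are made up.
CLIENT_NAMES = {"qradar_clientA": "ClientA", "qradar_clientB": "ClientB"}
TIMEZONES = {"ClientA": "Europe/Paris", "ClientB": "America/New_York"}

# Constructed CSV export; the column names are assumed, not the repository's AQL output.
# Dates are in March 2024 before any DST switch, so Paris is UTC+1 and New York is UTC-5.
SAMPLE_CSV = """offense_id,start_time,magnitude,offense_type,input_tag
101,2024-03-04 09:15:00,6,Source IP,qradar_clientA
102,2024-03-04 23:40:00,3,Source IP,qradar_clientB
103,2024-03-05 09:05:00,8,Destination IP,qradar_clientA
104,2024-03-04 09:50:00,4,Username,qradar_clientB
105,2024-03-04 09:30:00,5,Source IP,qradar_clientA
"""

# Painless dayOfWeekEnum yields upper-case names; Python weekday() is 0 = Monday.
DAY_NAMES = ["MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY", "SATURDAY", "SUNDAY"]


def enrich_offense(row, client_names=CLIENT_NAMES, timezones=TIMEZONES):
    """Mirror the Logstash translate + date steps and the two Kibana scripted fields.

    The input tag is mapped to a client, the client's timezone is used to parse the
    local start_time, and @timestamp is stored in UTC. An unknown tag falls back to
    "unknown" / UTC instead of dropping the event, so gaps in the YAML files are visible.
    """
    client = client_names.get(row["input_tag"], "unknown")
    tz = ZoneInfo(timezones.get(client, "UTC"))
    local = datetime.strptime(row["start_time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    ts = local.astimezone(timezone.utc)
    return {
        "@timestamp": ts.isoformat(),
        "client": client,
        "offense": {
            "id": int(row["offense_id"]),
            "magnitude": int(row["magnitude"]),
            "type": row["offense_type"],
            # Scripted fields read doc['@timestamp'] in UTC, so these are UTC-based.
            "day_of_week": DAY_NAMES[ts.weekday()],
            "hour_of_day": ts.hour,
        },
    }


def parse_export(csv_text, **kwargs):
    """Read a QRadar CSV export and return a list of enriched, JSON-ready documents."""
    return [enrich_offense(row, **kwargs) for row in csv.DictReader(io.StringIO(csv_text))]


def busiest(docs, field):
    """Count offenses per value of offense.<field>, most frequent first.

    This is the equivalent of a Kibana terms aggregation on the scripted field and
    produces the data behind the Busiest Days / Busiest Hours visualisations.
    """
    return Counter(doc["offense"][field] for doc in docs).most_common()


def to_ndjson(docs):
    """Serialise documents as newline-delimited JSON (one document per line)."""
    return "\n".join(json.dumps(doc, sort_keys=True) for doc in docs) + "\n"


if __name__ == "__main__":
    documents = parse_export(SAMPLE_CSV)
    print(to_ndjson(documents))
    print("busiest days:", busiest(documents, "day_of_week"))
    print("busiest hours:", busiest(documents, "hour_of_day"))
```

Note that `doc['@timestamp']` in Painless is always UTC, so the scripted fields in step 5 (and the counts above) describe UTC days and hours; if an analyst wants busiest hours in each client's local time, the per-client timezone has to be applied again at query time or an extra local-hour field has to be indexed.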

Metrics samples

  1. Busiest Days

[Screenshot: BusiestDays]

  2. Busiest Hours

[Screenshot: BusiestHours]

  3. Offenses average by day of week

[Screenshot: DayofthWeek_by_Offense_avg]

Tasks

  • Adding more AQL queries and searches
  • Automating the collection process
  • Moving from CSV to JSON as the data format
